An Epistemic Characterization of Zero Knowledge
|
|
- Jemimah O’Neal’
- 6 years ago
- Views:
Transcription
1 An Epistemic Characterization of Zero Knowledge Joseph Y. Halpern, Rafael Pass, and Vasumathi Raman Computer Science Department Cornell University Ithaca, NY, 14853, U.S.A. {halpern, rafael, March 16, 2009 Abstract Halpern, Moses and Tuttle presented a definition of interactive proofs using a notion they called practical knowledge, but left open the question of finding an epistemic formula that completely characterizes zero knowledge; that is, a formula that holds iff a proof is zero knowledge. We present such a formula, and show that it does characterize zero knowledge. Moreover, we show that variants of the formula characterize variants of zero knowledge such as concurrent zero knowledge [Dwork, Naor, and Sahai 1998] and proofs of knowledge [Feige, Fiat, and Shamir 1987; Tompa and Woll 1987].
2 1 Introduction The notions of interactive proof and zero knowledge were introduced by Goldwasser, Micali, and Rackoff [1989], and have been the subject of extensive research ever since. Informally, an interactive proof is a two-party conversation in which a prover tries to convince a polynomial-time verifier of the truth of a fact ϕ (where ϕ typically has the form x L, where x is a string and L is a language or set of strings) through a sequence interactions. An interactive proof is said to be zero knowledge if, whenever ϕ holds, the verifier has an algorithm to generate on its own the conversations it could have had with the prover during an interactive proof of ϕ (according to the correct distribution of possible conversations). Intuitively, the verifier does not learn anything from talking to the prover (other than ϕ) that it could not have learned on its own by generating the conversations itself. Consequently, the only knowledge gained by the verifier during an interactive proof is that ϕ is true. The notion of knowledge used in zero knowledge is based on having an algorithm to generate the transcript of possible conversations with the prover; the zero-knowledge condition places a restriction on what the verifier is able to generate after interacting with the prover (in terms of what he could generate before). The relationship between this ability to generate and logic-based notions of knowledge is not immediately obvious. Having a logic-based characterization of zero knowledge would enhance our understanding and perhaps allow us to apply model-checking tools to test whether proofs are in fact zero knowledge. However, getting such a characterization is not easy. Since both probability and the computational power of the prover and verifier play crucial roles in the definition of zero knowledge, it is clear that the standard notion of knowledge (truth in all possible worlds) will not suffice. Halpern, Moses and Tuttle [1988] (HMT from now on) were the first to study the relationship between knowledge and being able to generate. They presented a definition of interactive proofs using a notion they called practical knowledge. They proved that, with high probability, the verifier in a zeroknowledge proof of x L practically knows a fact ψ at the end of the proof iff it practically knows x L ψ at the beginning of the proof; they call this property knowledge security. Intuitively, this captures the idea that zero knowledge proofs do not leak knowledge of facts other than those that follow from x L. They also define a notion of knowing how to generate a y satisfying a relation R(x, y), and prove that, with high probability, if the verifier in a zero-knowledge proof of x L knows how to generate a y satisfying R(x, y) at the end of the proof, then he knows how to do so at the beginning as well; they called this property generation security. This captures the intuition that at the end of a zero-knowledge proof, the verifier cannot do anything that it could not do at the beginning. HMT left open the question of finding an epistemic formula that completely characterizes zero knowledge; that is, a formula that holds iff a proof is zero knowledge [Goldwasser, Micali, and Rackoff 1989]. In this paper we present a strengthening of knowledge security and generation security that we call relation hiding, which we show does characterize zero knowledge. Moreover, we show that variants of relation hiding characterize variants of zero knowledge such as concurrent zero knowledge [Dwork, Naor, and Sahai 1998] and proofs of knowledge [Feige, Fiat, and Shamir 1987; Tompa and Woll 1987]. 2 Background In this section, we review the relevant background both in cryptography (interactive proof systems and zero knowledge) and epistemic logic (specifically, modeling knowledge and probability using the runs 1
3 and systems framework [Fagin, Halpern, Moses, and Vardi 1995; Halpern and Tuttle 1993]). In addition, we introduce some of the notation that will be needed for our new results. 2.1 Interactive Proof Systems An interactive protocol is an ordered pair (P, V ) of probabilistic Turing machines. P and V share a read-only input tape; each has a private one-way, read-only random tape; each has a private work tape; and P and V share a pair of one-way communication tapes, one from P to V being write-only for P and read-only for V, and the other from V to P being write-only for V and read-only for P. An execution of the protocol (P, V ) is defined as follows. At the beginning, the input tape is initialized with some common input x, each random tape is initialized with an infinite sequence of random bits, each work tape may or may not be initialized with an initial string, and the communication tapes are initially blank. The execution then proceeds in a sequence of rounds. During any given round, V first performs some internal computation making use of its work tape and other readable tapes, and then sends a message to P by writing on its write-only communication tape; P then performs a similar computation. Either P or V may halt the interaction at any time by entering a halt state. V accepts or rejects the interaction by entering an accepting or rejecting halt state, respectively, in which case we refer to the resulting execution as either an accepting or rejecting execution. The running time of P and V during an execution of (P, V ) is the number of steps taken by P and V respectively, during the execution. We assume that V is a probabilistic Turing machine running in time polynomial in x, and hence that it can perform only probabilistic, polynomial-time computations during each round. For now we make no assumptions about the running time of P. Denote by (P (s) V (t))(x) the random variable that takes two random strings ρ p, ρ v {0, 1} as input and outputs an execution of (P, V ) in which the prover s work tape is initialized with s, the verifier s work tape is initialized with t, the input tape is initialized with x, and ρ p, ρ v are the contents of the prover and verifier s respective random tapes. We can think of s as the prover s auxiliary information, t as the verifier s initial information, and x as the common input. Let Accepts v [(P (s) V (t))(x)] be the random variable that takes two infinite random strings ρ p, ρ v {0, 1} as input, and outputs true iff the verifier enters an accept state at the end of the execution of the protocol (P, V ) where ρ p and ρ v are the contents of the prover and verifier s respective random tapes, and false otherwise. Informally, an interactive protocol (P, V ) is an interactive proof system for a language L if, when run on input x (and possibly some auxiliary inputs s and t), after the protocol, if the prover and verifier are both good that is, the prover uses P and the verifier uses V the verifier is almost always convinced that x L. Moreover, no matter what protocol the prover uses, the verifier will hardly ever be convinced that x L if it is not. The almost always and hardly ever are formalized in terms of negligible functions. A function ɛ : N [0, 1] is negligible if for every positive integer k there exists an n 0 N such that for all n > n 0, ɛ(n) < 1 ; that is, ɛ is eventually smaller than any inverse polynomial. n k Finally, let Pr Uk denote the uniform probability over strings in ({0, 1} ) k. For ease of notation, we typically omit the subscript k when it does not play a significant role or is clear from context, writing just Pr U. Definition 1 An interactive protocol (P, V ) is an interactive proof system for language L if the following conditions are satisfied: Completeness: There exists a negligible function ɛ such that for sufficiently large x and for every 2
4 s and t, if x L then Pr U [Accepts v [(P (s) V (t))(x)]] 1 ɛ( x ). Soundness: There exists a negligible function δ such that for sufficiently large x, for every protocol P for the prover, s, and t, if x L then Pr U [Accepts v [(P (s) V (t))(x)]] δ( x ). The completeness condition is a guarantee to both the good prover and the good verifier that if x L, then with overwhelming probability the good prover will be able to convince the good verifier that x L. The soundness condition is a guarantee to the good verifier that if x L, then the probability that an arbitrary (possibly malicious) prover is able to convince the good verifier that x L is very low. The probability here is taken over the runs of the protocol where the the verifier s initial information is s, the prover s initial information is t, and x is the common input. The probability is generated by the random coin flips of the prover and verifier (which in turn determine what happens in the run); we do not assume a probability on s, t, or x. 2.2 Zero Knowledge To make the notion of zero precise, we need a few preliminary definitions. We consider zero-knowledge proofs of languages L that have a witness relation R L, where R L is a set of pairs (x, y) such that x L iff there exists a y such that (x, y) R L ; let R L (x) = {y : (x, y) R L }. Note that all languages in the complexity class N P have this property. Define V iew v [(P (s) V (t))(x)] to be the random variable that, on input ρ p, ρ v, describes the verifier s view in the execution (P (s) V (t))(x)(ρ 1, ρ 2 ), that is, the verifier s initial auxiliary input t, the sequence of messages received and read thus far by the verifier, and the sequence of coin flips used thus far. The intuition behind zero knowledge is that the reason the verifier learns nothing from an interaction is that he can simulate it. The simulation is carried out by a probabilistic Turing machine. It should be possible to carry out the simulation no matter what algorithm the verifier uses (since we hope to show that, no matter what algorithm the verifier uses, he gains no information beyond the fact that x L), so we have a simulator S V for every algorithm V of the verifier. The simulator S V actually generates verifier views of the conversations. With perfect zero knowledge, the distribution of the views created by S V given just inputs x and t (which is all the verifier sees) is identical to the actual distribution of the verifier s views generated by (P (s) V (t))(x). With statistical zero knowledge, the two distributions are just required to be close. Finally, with computational zero knowledge, no PPT (probabilistic polynomial time) algorithm can distinguish the distributions. We capture the notion of distinguishing here by using a PPT distinguisher D. The distinguisher gets as input verifier views generated by S V and by the actual conversation, and must output either 1 or 0, depending on whether it believes the view came from S V or the actual conversation. Notice that the inputs to the simulator (x and t) are both accessible by the verifier, so the verifier could, given his initial state and the common input, run the simulator instead of interacting with the prover. The distinguisher tries to identify whether the verifier talked to the prover or ran the simulator on his own. If no distinguisher is able to tell the difference, then the verifier might as well not have interacted with the prover but run the simulator instead; we say that the interaction was zero-knowledge in this case because the verifier saw nothing during the interaction that he could not simulate. 3
5 We allow the distinguisher to have additional information in the form of auxiliary inputs (in addition to the view it is trying to distinguish). This allows the distinguisher to have information that the verifier never sees, such as information about the prover s state, since such information could be helpful in identifying views from the interaction and telling them apart from those produced by the verifier alone. Allowing the distinguisher to get such auxiliary inputs strengthens the zero knowledge requirement in that, no matter what additional information the distinguisher might have, he cannot tell apart views of the interaction from simulated ones. Definition 2 An interactive proof system (P, V ) for L is said to be computational zero knowledge if, for every PPT verifier protocol V, there is a probabilistic Turing machine S V that takes as input the common input x and verifier s auxiliary information t, runs in expected time polynomial in x, and outputs a view for the verifier such that for every PPT (probabilistic polynomial time) Turing machine D that takes as input a view of the verifier and an auxiliary input z {0, 1}, there exists a negligible function ɛ such that for all x L, s R L (x), t {0, 1}, z {0, 1}, Pr U [D(S V (x, t), z) = 1] Pr U [D(V iew v [(P (s) V (t))(x)], z) = 1] ɛ( x ). 2.3 The Runs and Systems Framework Our analysis of interactive proof systems is carried out in runs and systems framework [Fagin, Halpern, Moses, and Vardi 1995]. The systems we consider consist of a (possibly infinite) set of communicating agents. Agents share a global clock that starts at time 0 and proceeds in discrete increments of one. Computation in the system proceeds in rounds, round m lasting from time m 1 to time m. During a round, each agent first performs some (possibly probabilistic) local computation, then sends messages to other agents, and then receives all messages sent to him during that round. Each agents starts in some initial local state; its local state then changes over time. The agent s local state at time m 0 consists of the time on the global clock, the agent s initial information (if any), the history of messages the agent has received from other agents and read, and the history of coin flips used. A global state is a tuple of local states, one for each agent and one for the nature, which keeps track of information about the system not known to any of the agents. We think of each agent as following a protocol that specifies what the agent should do in every local state. An infinite execution of such a protocol (an infinite sequence of global states) is called a run. We define a system to be a set of such runs, often the set of all possible runs of a particular protocol. Given a run r and a time m, we refer to (r, m) as a point, and we say that (r, m) is a point of the system R if r R. We denote the global state at the point (r, m) (that is, the global state at time m in r) by r(m), and the local state of agent a in r(m) by r a (m). Let K a (r, m) = {(r, m ) : r a (m) = r a(m )}; K a (r, m) can be thought of as the set of points that a considers possible at (r, m), because he has the same local state at all of them. Since the agent s local state at time m consists of the time on the global clock, any point that a considers possible at (r, m) is also at time m, so K a (r, m) = {(r, m) : r a (m) = r a(m)}. In interactive proof systems, we assume that there are two agents a prover p and a verifier v. Both agents have a common input (typically a string x {0, 1} ); we denote by r c (0) the common input in run r. We also assume that the prover and verifier agents have initial local states r p (0) = s {0, 1} and r v (0) = t {0, 1}, respectively, both of which contain r c (0). Additionally, we assume that nature s state at all times m includes a tuple (ρ r p, ρ r v, ρ r, P, V ), where ρ r p and ρ r v are the prover s and verifier s 4
6 random tapes, respectively, in run r, ρ r is an additional tape whose role is explained in Section 3, and P and V are the protocols of the prover and verifier. An interactive protocol (P, V ) generates a system. The runs of the system correspond to possible executions of (P, V ). Following HMT, we denote by P V the system consisting of all possible executions of (P, V ) and by P V pp the system consisting of the union of the systems P V for all probabilistic, polynomial-time (PPT) protocols V 1. P pp V is defined analogously. More generally, we let P V denote the system consisting of the union of the systems P V for all prover protocols P P and verifier protocols V V. Since we need to reason about probability, we augment a system to get a probabilistic system, by adding a function PR a for each agent that associates with each point (r, m) a probability PR a (r, m) on points for agent a, whose support is contained in K a (r, m). In many cases of interest, we can think of PR a (r, m) as arising from conditioning an initial probability on runs on the agent s current local state, to give a probability on points. There are subtleties to doing this though. We often do not have a probability on the set of all executions of a protocol. For example, as we observed in the case of interactive proofs, we do not want to assume a probability on the auxiliary inputs s and t or the common input x. The only source of probability is the random coin flips. Halpern and Tuttle [1993] suggested a formalization of this intuition. Suppose that we partition the runs of R into cells, with a probability on each cell. For example, in the case of interactive proof systems, we could partition the runs into sets R s,t,x, according to the inputs s and t. The random coin flips of the prover and verifier protocols then give us a well-defined probability on the runs in R s,t. We can then define PR a (r, m) by conditioning in the following sense: Given a set S of points, let R(S) = {r : (r, m) S for some m}. Let R(r) be the cell of the partition of R that includes r, and let Pr R(r) be the probability on the cell. If A is an arbitrary set of points, define PR a (r, m)(a) = Pr R(r) (R(A K a (r, m)) R(K a (r, m)) R(r)). (We assume for simplicity that all the relevant sets are measurable and that Pr R(r) (R(K a (r, m)) R(r)) 0.) Note that for synchronous systems (such as those we deal with), since K a (r, m) is a set of time m points, the support of PR a (r, m) is a subset of time m points (i.e., PR a (r, m)(a) = 0 unless A includes some time m points, since otherwise A K a (r, m) = ). Intuitively, we associate a set of points with the set of runs going through it, and then define the probability PR a (r, m), which is a s distribution on points at the point (r, m), by conditioning the probability on runs defined on r s cell on the runs going through the set K a (r, m) (i.e. the runs a considers possible given his information at point (r, m)). A probabilistic system is standard if it is generated from probabilities on runs in this way. In systems where the runs are generated by randomized algorithms, the cells are typically taken so as to factor out all the nonprobabilistic or nondeterministic choices. In particular, we do this for the system P V, so that we partition the runs into cells R s,t, according to the inputs s and t, as suggested above, and take the probability on the runs in the cell to be determined solely by the random inputs of the prover and verifier ρ v and ρ p and the random string ρ contained in nature s state. Thus, we can identify the probability on R s,t with the uniform distribution Pr U3. The probabilities on the system P V are defined by the probabilities on each individual system P V for P P and V V; that is, we now partition the runs of the system into cells according to the prover and verifier protocols P, V and the inputs s and t, so there now is a separate cell for each combination of P, V, s, and t, and the probability Pr P V(r) can be identified with the uniform distribution Pr U3. 1 Note that we distinguish p and v, the prover and the verifier agents respectively, from the protocols that they are running. In the system P V, the verifier is always running the same protocol V in all runs. In the system P V pp, the verifier may be running different protocols in different runs. 5
7 2.4 Reasoning About Systems To reason about systems, we assume that we have a collection of primitive facts such as the value of the variable x is a prime number (where x is the common input in the run), or x L, where L is some set of strings. Each primitive fact ϕ is identified with a set π(ϕ) of points, interpreted as the set of points at which ϕ holds. A point (r, m) in a system R satisfies ϕ, denoted (R, r, m) = ϕ, if (r, m) π(ϕ). We extend this collection of primitive facts to a logical language by closing under the usual boolean connectives, the linear temporal logic operator, operators at time m for each time m, the epistemic operators K a, one for each agent a, and probability operators of the form for pr λ a each agent a and real number λ. The definitions of all these operators is standard: (R, r, m) = ϕ iff (R, r, m ) = ϕ for some m m. (R, r, m) = K a ϕ iff (R, r, m ) = ϕ for all (r, m ) K a (r, m). (Intuitively, agent a knows ϕ if ϕ is true at all the worlds that agent a considers possible.) (R, r, m) = at time m ϕ iff (R, r, m ) = ϕ. (R, r, m) = pr λ a(ϕ) iff PR a (r, m)([ϕ]) λ, where [ϕ] = {(r, m) : (R, r, m) = ϕ}. We write R = ϕ if (R, r, m) = ϕ for all points (r, m) in R. 3 Characterizing Zero Knowledge Using Relation Hiding We identify knowing something about the initial state of the system with being able to generate a witness for some relation on the initial state. For example, if the language L from which the common input x is taken is the set of all Hamiltonian graphs, then we can define a relation R such that R(s, t, x, y) holds iff y is a Hamiltonian cycle in graph x. (Here the relation is independent of s and t.) Recall that a Hamiltonian cycle in a graph is a path that goes through every vertex exactly once, and starts and ends at the same vertex; a Hamiltonian graph is a graph with a Hamiltonian cycle. We can think of a Hamiltonian cycle y as a witness to a graph x being Hamiltonian. We allow the relation R to depend on s and t in addition to x because this allows us to describe the possibility of the verifier learning (via the interaction) facts about the prover s initial state (which he does not have access to). This allows us to account for provers with auxiliary information on their work tapes. For example, R(s, t, x, y) could be defined to hold iff the prover has Hamiltonian path y on its work tape (in its initial state s). We are therefore interested in relations R on S T L {0, 1}, where S is the set of prover initial states and T is the set of verifier initial states. We want a formal way to capture verifier s ability to generate such witnesses for R. We do this by using an algorithm M that takes as input the verifier s local state and the common input x, and is supposed to return a y such that R(s, t, x, y) holds. The algorithm M essentially decodes the local state into a potential witness for R. More generally, we want to allow the decoding procedure M to depend on the protocol V of the verifier. We do this by using a function M : T M T M; intuitively M(V ) is the decoding procedure for the verifier protocol V. To reason about this in the language, we add a primitive proposition M v,r to the language, and define (R, r, m) = M v,r if R(r p (0), r v (0), r c (0), M(V )(r c (0), r v (m))(ρ r )) holds, where V is the verifier 6
8 protocol in run r and ρ r is the extra random tape that is part of nature s local state in run r; this makes the output of M(V ) in run r deterministic (although M is a probabilistic TM). For any constant λ, let G M,m,λ v R, read the verifier can generate a y satisfying R using M with probability λ at time m be an abbreviation of pr λ v(at time m M v,r ). We can generalize this to a formula G M,m,λ v R which considers functions λ whose meaning may depend on components of the state, such as the verifier s protocol and the length of the common input; we leave the straightforward semantic details to the reader. G M,m,λ p R, read the prover can generate a y satisfying R using M with probability λ at time m, is defined analogously. Finally, we add the primitive proposition s R L (x) to the language, and define (R, r, m) = s R L (x) if r c (0) L and r p (0) R L (r c (0)). We now show how to use the formula G M,m,λ v R to capture the intuitions underlying zero-knowledge proofs. Intuitively, we want to say that if the verifier can generate a y satisfying a relation R after the interaction, he could also do so before the interaction (i.e., without interacting with the prover at all). However, this is not quite true; a verifier can learn a y satisfying R during the course of an interaction, but only in a negligibly small fraction of the possible conversations. We want to capture the fact that the probability of the verifier being able to generate the witness correctly at a final point in the system is only negligibly different from the probability he can do so at the corresponding initial point (in a perfect zero knowledge system, the probabilities are exactly the same). Note that when the Turing machine M used by the verifier in a particular run r generates a y, the verifier may not know whether y in fact is a witness; that is, the verifier may not know whether R(s, t, x, y) in fact holds. Nevertheless, we want it to be the case that if the verifier can use some algorithm M that generates a witness y with a certain probability after interacting with the prover, then the verifier can generate a witness y with the same probability without the interaction. This lets us account for leaks in knowledge from the interaction that the verifier may not be aware of. For example, a computationally bounded verifier may have a Hamiltonian cycle y in graph x as part of his local state, but no way of knowing that y is in fact a Hamiltonian cycle. We want to say that the verifier knows how to generate a Hamiltonian cycle if this is the case (even if he does not know that he can do so), since there is a way for the verifier to extract a Hamiltonian cycle from his local state. We now define relation hiding, which says that if the verifier initially knows that he can, at some future time during the interaction with the prover, generate a witness for some relation R on the initial state with some probability, then he knows that he can generate a witness for R at time 0, that is, before the interaction, with almost the same probability. We allow the generating machines used by the verifier (both after and before the interaction) to run in expected polynomial time in the common input and verifier view. Allowing them to only run in (strict) polynomial time, would certainly also be a reasonable choice, but this would result in a notion that is stronger than the traditional notion of zero-knowledge. 2 Let EPPT be the set of all expected probabilistic polynomial time algorithms (i.e., algorithms for which there exists a polynomial p such that the expected running time on input x is at most p( x )). Definition 3 The system R is relation hiding for L if, for every polynomial-time relation R on S T L {0, 1} and function M : T M EPPT, there exist functions M : T M EPPT, ɛ : T M N [0, 1] such that for every Turing machine V, ɛ(v, ) is a negligible function, and for every 0 λ 1 and time m, R = at time 0 (s R L (x) G M,m,λ v R G M,0,λ ɛ R). 2 In fact, it would result in a notion called strict polynomial-time zero knowledge [Goldreich 2001]. v 7
9 In Definition 3, we allow the meaning of ɛ to depend on the verifier s protocol V since, intuitively, different verifier protocols may result in different amounts of knowledge being leaked. If we had not allowed ɛ to depend on the verifier protocol V, we would need a single negligible function that bounded the leakage of information for all verifiers in V pp. We cannot prove that such a function exists with the traditional definition of zero knowledge. Similarly, we must allow M to depend on the verifier s protocol, even if M does not. Intuitively, M must be able to do at time 0 what M can do at time m, so it must know something about what happened between times 0 and m. The verifier s protocol serves to provide this information, since for each verifier protocol V, the definition of zero knowledge ensures the existence of a simulator S V that can be used to mimic the interaction before time m. The relation-hiding property captures the requirement that if the verifier can eventually generate an arbitrary R, he can do so almost as well (i.e. with negligibly lower probability of correctness) initially. We now use this property to characterize zero knowledge. Theorem 1 The interactive proof system (P, V ) for L is computational zero knowledge iff the system P V pp is relation hiding for L. Theorem 1 says that if (P, V ) is a computational zero-knowledge proof system, then for any PPT verifier and relation R, if the verifier can eventually generate a witness for R, he can do so almost as well initially. Note that in this characterization of zero knowledge, the prover does not need to know the verifier s protocol to know that the statement holds. An intuition for the proof of Theorem 1 follows: the details (as well as all other proofs) can be found at For the if direction, suppose that (P, V ) is a computational zero knowledge system. If V is the verifier protocol in run r P V pp, then there is a simulator machine S V that produces verifier views that no distinguisher D can distinguish from views during possible interactions with the prover, no matter what auxiliary input D has. We show that if the verifier has an algorithm M(V ) that takes as input his view at a final point of the interaction and generates a y satisfying the relation R, then he can generate such a y before the interaction by running the simulating machine S V at the initial point to get a final view, and then running M(V ) on this view to generate y. We can therefore construct the function M using M and S V. For the only if direction, given an arbitrary protocol V, we construct a relation R such that the verifier has an algorithm for generating witnesses for R after the interaction. Since P V pp is relation hiding for L, the verifier has an algorithm for generating witnesses for R at initial points of the interaction. We then use this generating machine to implement a simulator S V that fools any distinguisher. 4 Characterizing Variants of Zero Knowledge We can use the ideas of relation hiding to characterize variants of zero knowledge. In this section, we show how to characterize two well-known variants: concurrent common knowledge and proofs of knowledge. 4.1 Concurrent Zero Knowledge So far, we have considered only single executions of an interactive proof system. However, zeroknowledge proofs are often used in the midst of other protocols. Moreover, when this is done, several 8
10 zero-knowledge proofs may be going on concurrently. An adversary may be able to pass messages between various invocations of zero-knowledge proofs to gain information. Dwork, Naor, and Sahai [1998] presented a definition of concurrent zero knowledge that tries to capture the intuition that no information is leaked even in the presence of several concurrent invocations of a zero-knowledge protocol. They consider a probabilistic polynomial-time verifier that can talk to many independent provers (all using the same protocol) concurrently. The verifier can interleave messages to and from different provers as desired. We say that an extended verifier protocol is a protocol for the verifier where the verifier can interact with arbitrarily many provers concurrently, rather than just one prover. (Since we are interested in verifiers that run in polynomial time, for each extended verifier protocol V there is a polynomial q V such that the verifier can interact with only q V ( x ) provers on input x. This means that the verifier s view also contains messages to and from at most q V ( x ) provers.) Denote by ( P (s) V (t))(x) the random variable that takes an infinite tuple of infinite random strings ((ρ pi ) i N, ρ v ) as input and outputs an execution where all the provers are running protocol P with auxiliary input s on common input x and the verifier is running the extended verifier protocol V with auxiliary input t and common input x, prover i has the infinite string ρ i on its random tape, and the verifier has ρ v on its random tape. With this background, we can define a concurrent definition of zero knowledge in exactly the same way as zero knowledge (Definition 2), except that we now consider extended verifier protocols; we omit the details here. We can model a concurrent zero-knowledge system in the runs and systems framework as follows. We now consider systems with an infinite number of agents: a verifier v and an infinite number of provers p 1, p 2,.... All agents have common input r c (0) in run r. As before, the provers and the verifier have initial local states. We will be interested in systems where all the provers have the same initial state and use the same protocol. Moreover, this will be a protocol where a prover talks only to the verifier, so the provers do not talk to each other. This captures the fact that the verifier can now talk to multiple provers running the same protocol, but the provers themselves cannot interact with each other (they are independent). Again, the initial local states of the provers and the verifier all contain r c (0). Additionally, we assume that nature s state at all times m includes a tuple (ρ r p 1,..., ρ r v, ρ r, P, V ), where ρ r p i is prover p i s random tape and ρ r v is the verifier s random tape in run r, ρ r is an additional tape as before, P is the protocol used by all the provers, and V is the verifier s protocol. Note that the provers random tapes are all independent to ensure that their actions are not correlated. Given a set P of prover protocols and V of verifier protocols, let P V denote the system with runs of this form, where the provers protocol is in P and the verifier s protocol in V. If P = {P }, we write P V. We define the probability on P V as before, partitioning the runs into cells according to the protocol used and the inputs. Thus, we can identify the probability on R s,t,p,v with the uniform distribution Pr U. Theorem 2 The interactive proof system (P, V ) for L is computational concurrent zero knowledge iff the system P V pp is relation hiding for L. The proof is almost identical to that of Theorem Proofs of Knowledge Loosely speaking, an interactive proof is a proof of knowledge if the prover not only convinces the verifier of the validity of some statement, but also that it possesses, or can feasibly compute, a witness for the statement proved (intuitively, using the secret information in its initial state). For instance, rather 9
11 than merely convincing the verifier that a graph is Hamiltonian, the prover convinces the verifier that he knows a Hamiltonian cycle in the graph. We show how this notion can be formalized using our logic. There are a number of ways of formalizing proofs of knowledge; see, for example, [Bellare and Goldreich 1992; Feige, Fiat, and Shamir 1987; Feige and Shamir 1990; Tompa and Woll 1987]. We give here a definition that is essentially that of Feige and Shamir [1990]. In the full paper, we discuss modifications that give the other variants, and how to modify our characterization to handle them. Definition 4 An interactive proof system (P, V ) for a language L with witness relation R L is a proof of knowledge if, for every PPT prover protocol P, there exists a negligible function ɛ and a probabilistic Turing machine E P that takes as input the common input x and prover s auxiliary information s, runs in expected time polynomial in x, and outputs a candidate witness for x, such that for all x, s, t {0, 1}, Pr U [{Accepts v [(P (s) V (t))(x)]}] Pr U [{E P (x, s)) R L (x)}] ɛ( x ). Intuitively, this says that for every prover P, if P succeeds in convincing the verifier V that x is in L, then there is a knowledge extractor machine E P that can extract a witness for x from the prover s auxiliary information. We can think of the extractor as demonstrating that the prover really does know a witness to show that x L, given its auxiliary information s. We now formalize this definition of proofs of knowledge using our logic. Let accepts denote the primitive proposition that holds iff the verifier enters an accept state at the end of the interaction. Definition 5 The system R is witness convincing for the language L with witness relation R L if there exist functions M : T M EPPT, ɛ : T M N [0, 1] such that, for every Turing machine P, ɛ(p, ) is a negligible function, and, for all 0 λ 1, where (s, t, x, y) R + L iff y R L(x). R = at time 0 pr λ p( accepts) G M,0,λ ɛ p R + L, This definition says that there exists a function M such that M(P ) can generate a y such that (s, t, x, y) R + L whenever P makes the verifier accept in the system R. This machine can be viewed as a knowledge extractor for P, motivating the following theorem. Theorem 3 The interactive proof system (P, V ) for L is a proof of knowledge iff the system P pp V is witness convincing for L. To see why this should be true, note that if (P, V ) is a proof of knowledge and if the verifier accepts on input x when interacting with P, then there exists a knowledge extractor machine E P that can generate a witness y R L (x), and can therefore generate a y such that (s, t, x, y) R + L. For the converse, as we said above, the machine M(P ) that exists by the definition of witness convincing can be viewed as a knowledge extractor for P. Again, the details can be found at The major difference between the FFS and TW difference is that, in the FFS definition, rather than allowing a different machine E P for every prover protocol P, FFS require that there be a single knowledge extractor machine E that has oracle access to the prover s protocol and a fixed bivariate 10
12 polynomial p such that the running time of E given a prover P with runtime bounded by a polynomial q and input x is p(q( x, x ). To capture this difference. we vary the definition of witness convincing to require that M(P ) for any P return the same machine M that takes (a description of) P as an input and has expected runtime polynomial in the runtime of P and x. 5 Conclusions and Future Work HMT formalized the notion of knowledge security and showed that a zero-knowledge proof system for x L satisfies it: the prover is guaranteed that, with high probability, if the verifier will practically know (as defined in [Moses 1988]) a fact ϕ at the end of the proof, he practically knows x L ϕ at the start. They also formalized the notion of knowing how to generate a y satisfying any relation R(x, y) that is BPP-testable by the verifier, and showed that zero-knowledge proofs also satisfy the analogous property of generation security (with respect to these relations). Their work left open the question of whether either of these notions of security characterizes zero knowledge. We have provided a different definition of what it means for a polynomial-time agent to know how to generate a string y satisfying a relation R. Using this definition we provide a logical statement called relation hiding that fully characterizes when an interaction is zero knowledge. We additionally show that variants of this statement (using the same notion of knowing how to generate) characterize variants of zero knowledge, including concurrent zero knowledge and proofs of knowledge. Our notion of relation hiding considers the verifier s knowledge at the beginning of a run (i.e. at time 0); it says that, at time 0, the verifier cannot know that he will be able to generate a witness for a relation with higher probability in the future than he currently can. We would like to make the stronger claim that the verifier will never know that he can generate a witness satifying the relation better than he knows he can at the beginning (or, more accurately, will almost certainly never know this, since there is always a negligible probability that he will learn something). To do this, we need to talk about the verifier s knowledge and belief at all points in the system. Consider, for example, a verifier trying to factor a large number. We would like to allow for the fact that the verifier will, with some small probability, get the correct answer just by guessing. However, we want to be able to say that if, after interacting with the prover, the verifier believes that he can guess the factors with non-negligible probability then, except with very small probability, he already believed that he could guess the factors with almost the same probability before the interaction. Making this precise seems to require some axioms about how a computationally-bounded verifier s beliefs evolve. We are currently working on this, using Rantala s impossible possible-worlds approach [Rantala 1982] to capture the verifiers computational bounds. For example, if the verifier cannot compute whether a number n is prime, he will consider possible a world where n is prime and one where it is not (although one of these worlds is logically impossible). Proving analogues of our theorem in this setting seems like an interesting challenge, which will lead to a deeper understanding of variants of zero knowledge. A Proofs A.1 Computational Zero Knowledge Theorem 1: The interactive proof system (P, V ) for L is computational zero knowledge iff the system P V pp is relation hiding for L. 11
13 Proof. For the if direction, suppose that (P, V ) is a computational zero knowledge system and that (P V pp, r, 0) = G M,m,λ v R for a polynomial-time relation R and functions M : T M EPPT and λ : T M N [0, 1]. We want to show that there exist functions M : T M EPPT and ɛ : T M N [0, 1] such that (P V pp, r, 0) = G M,0,λ ɛ v R. The intuition behind the proof is as follows. If (P, V ) is zero knowledge, and V is the verifier protocol in run r, then there is a simulator machine S V that produces verifier views that no distinguisher D can distinguish from views during possible interactions with the prover, no matter what auxiliary input D has. We show that if the verifier has an algorithm M(V ) that takes as input his view at a final point of the interaction and generates a y satisfying the relation R, then he can generate such a y before the interaction by running the simulating machine S V at the initial point to get a final view, and then running M(V ) on this view to generate y. We can therefore construct the function M using M and S V. In more detail, we want to show (P V pp ) = at time 0 (s R L (x) G M,m,λ v R G M,0,λ ɛ v R). Thus, we must show that for all runs r, we have (P V pp, r, 0) = (s R L (x) G M,m,λ v R G M,0,λ ɛ v R). So suppose that r c (0) L, r p (0) R L (r c (0)), and ({P } V pp, r, 0) = G M,m,λ v R. By definition, this means that (P V pp, r, 0) = pr λ v(at time m M v,r ). Assume without loss of generality that m is greater than the final time of the interaction in all runs with input x. (There is such an m, since V runs in time polynomial in x. This assumption is made without loss of generality since we are assuming perfect recall, so anything the verifier can do in the middle of the interaction, he can do at the end). Construct a PPT distinguisher D as follows. D takes as input a verifier view view v and extracts the verifier s initial state t from it (since by perfect recall, the initial verifier state is contained in any subsequent view). Recall that distinguishers can take auxiliary inputs as well as a view. In this case, in run r we choose to give D as auxiliary input the common input x and the prover s state s in r. Given x and s and a random string ρ, D runs M(V ) on x, view v, and ρ, where V is the verifier s protocol in run r, to get y, and outputs R(s, t, x, y). So D with inputs x, s, and ρ accepts the verifier s view view v iff R(s, t, x, M(V )(view v )(ρ)) = 1 for the t contained in the verifier s view. Suppose that the verifier runs V in r. Since (P V pp, r, 0) = pr λ v(at time m M v,r ), we have PR v (r, 0)({(r, 0) : (P V, r, 0) = at time m M v,r }, r v(0) = r v (0), r p(0) = r p (0)}) λ(v, r c (0) ). Recall that we can identify PR v (r, 0) with Pr U3, so (Pr U ({r (P V)(r) : (P V, r, 0) = at time m M v,r, r v(0) = r v (0), r p(0) = r p (0)}) λ(v, r c (0) ). By definition of M v,r, Pr U [{r (P V)(r) : R(r p(0), r v(0), r c(0), M(V )(r c(0), r v(m ))) = 1}] λ(v, r c (0) ). By definition of (P V)(r), Pr U [R(r p (0), r v (0), r c (0), M(V )(r c (0), r v (m ))) = 1] λ(v, r c (0) ). Thus, D with auxiliary inputs r c (0) and r p (0) accepts the verifier s view r(m ) with probability at least λ(v, r c (0) ) (where the probability is taken over the random choices of D). Because (P, V ) is a computational zero-knowledge proof system for L, if r c (0) L and r p (0) R L (r c (0)), then there is an expected PPT Turing machine S V and a negligible function ɛ(v ) such that S V on input r c (0), r v (0) outputs a verifier view such that every distinguisher, and in particular 12
14 the distinguisher D constructed above, accepts this view with probability at least (λ ɛ)(v, r c (0) ) (taken over the random choices of D and S V ), no matter what auxiliary information we give it, and in particular given auxiliary inputs r c (0) and r p (0). Thus, by the definition of D, we must have Pr U [R(r p (0), r v (0), r c (0), M(V )(r c (0), r v (m ))) = 1] λ(v, r c (0) ). Define M : T M EPPT by taking M (V )(x, t) = M(V )(x, S V (x, t)). Note that this definition suppresses the random choices of M (V ), S V and M(V ) we assume that each of these machines is given a random tape, and that the random tapes of S V and M(V ) are independent, so that their outputs are not correlated. Since S V and M(V ) are both expected polynomial-time in x and t, so is M (V ). Note also that iff thus, R(r p (0), r v (0), r c (0), M (V )(r c (0), r v (0))(ρ r )) = 1 R(r p (0), r v (0), r c (0), M(V )(r c (0), S V (r c (0), r v (0))(ρ r v))(ρ r )) = 1; Pr U [R(r p (0), r v (0), r c (0), M (V )(r c (0), r v (0))) = 1] (λ ɛ)(v, r c (0) ). So M (V ) runs in expected polynomial time and outputs a value such that This completes the proof of the if direction. (P V pp, r, 0) = pr λ ɛ v (at time 0 M v,r). For the only if direction, we want to show that for every verifier protocol V, there is an EPPT algorithm S V such that for any PPT distinguisher D with any auxiliary input, there exists a negligible function ɛ such that x L, s R L (x), t, z {0, 1}, Pr U [{D(S V (x, t), z) = 1}] Pr U [{D(V iew v [(P (s) V (t))(x)], z) = 1}] ɛ( x ). The idea behind the proof is as follows. Given an arbitrary protocol V, we construct a relation R such that the verifier has an algorithm for generating witnesses for R after the interaction. Since P V pp is relation hiding for L, the verifier has an algorithm for generating witnesses for R at initial points of the interaction. We then use this generating machine to implement a simulator S V that fools any distinguisher. Recall that the set of possible verifier initial states is the set of all bitstrings {0, 1}. For an arbitrary PPT distinguisher D, define the set T D {0, 1} of verifier states of the form t = t ; 1 poly( x ) ; D; z; ρ D, where t {0, 1}, x L, D is the description of the PPT distinguisher, z {0, 1}, ρ D {0, 1}, and poly( ) is some polynomial. Define a relation R by taking R(s, t, x, y) = 1 iff t is of the form t = t ; 1 poly( x ) ; D; z; ρ D and the distinguisher D contained in t accepts on input y when given the random string ρ D and auxiliary input z contained in t (otherwise R(s, t, x, y) = 0). Define M(V ) to be the trivial machine that on input (r c (0), r v (m)) outputs the verifier s view r v (m). Suppose that there exists a function λ and a set A of runs such that for all r A, if m r is the final round in run r, then (P V pp, r, 0) = G M,m r,λ v R. Since P V pp is relation hiding for 13
15 L, there exists a function M : T M EPPT and a function ɛ : T M N such that ɛ(v ) is negligible and for all r A, (P V pp, r, 0) = s R L (x) G M,0,λ ɛ v R. Define S V by taking S V (x, t)(ρ) = M (V )(x, t)(ρ). Suppose, by way of contradiction, that for some distinguisher D there is a polynomial p such that for infinitely many x L, s R L (x), and t {0, 1}, there is a z {0, 1} such that there exist functions λ z 1 and λz 2 (that may depend on z) such that Pr U [{D(S V (x, t), z) = 1}] = λ z 1 (x, s, t), Pr U[{D(V iew v [(P (s) V (t))(x)], z) = 1}] = λ z 2 (x, s, t), and λz 1 (x, s, t) λz 1 2 (x, s, t) > p( x ). Consider the set T D,S V T D of verifier states of the form t = t ; 1 q( x ) ; D; z; ρ D, where q is a polynomial such that q( x ) is an upper bound on the running time of the verifier protocol V and the simulator S V on input x. The effect of this choice is that, given the verifier s state, the verifier and simulator cannot access the distinguisher description. Therefore, V iew v [(P (s) V (t))(x)(ρ p, ρ v )] = V iew v [(P (s) V (t ))(x)(ρ p, ρ v )] and S V (x, t)(ρ v ) = S V (x, t )(ρ v ). If there exists z {0, 1} such that the distinguisher D, given auxiliary input z, succeeds in distinguishing the distributions {V iew v [(P (s) V (t ))(x)} and {S V (x, t )}, then D can distinguish {V iew v [(P (s) V (t))(x)} and {S V (x, t)} given z. By construction of T D,SV, for infinitely many x L, s R L (x) and t T D,SV, there exist functions λ z 1 and λz 2 such that Pr U[{D(S V (x, t), z) = 1}] = λ z 1 (x, s, t), Pr U[{D(V iew v [(P (s) V (t))(x)], z) = 1}] = λ z 2 (x, s, t), and λz 1 (x, s, t) λz 1 2 (x, s, t) > p( x ) (the z referenced here is contained in t). Without loss of generality, we can assume that λ z 2 (x, s, t) λz 1 1 (x, s, t) > p( x ) for infinitely many of the relevant x s, s s, and t s. To see that this is without loss of generality, note that if λ z 2 (x, s, t) λz 1 1 (x, s, t) > p( x ) for only a finite number of x s, s s, and t s, then it must be the case that λ z 1 (x, s, t) λz 1 2 (x, s, t) > p( x ) for infinitely many x s, s s, and t s. In this case, we can define a distinguisher D that outputs the opposite of what D outputs when given the same view and auxiliary input. Then for infinitely many x L, s, and t, there exists z {0, 1} such that Pr U [{D (S V (x, t), z) = 1}] = λ z 1 (x, s, t), Pr U[{D (V iew v [(P (s) V (t))(x)], z) = 1}] = λ z 1 2 (x, s, t), and λ z 2 (x, s, t) λ z 1 (x, s, t) > p( x ) where λ z 1 = 1 λz 1 and λ z 2 = 1 λz 2. We can then proceed with the rest of the proof using the distinguisher D instead of D. Let A denote the set of tuples (x, s, t) (with x L, s R L (x), t T D,SV ) for which there exists z {0, 1} and functions λ z 1, λz 2 such that Pr U [{D(S V (x, t), z) = 1}] = λ z 1 (x, s, t), Pr U[{D(V iew v [(P (s) V (t))(x)], z) = 1}] = λ z 2 (x, s, t), and λz 2 (x, s, t) λz 1 1 (x, s, t) > p( x ). In the system P Vpp, let A = {r P V : (r c (0), r p (0), r v (0)) A}. So for all r A, Pr U [{D(S V (r c (0), r v (0)), z) = 1}] = λ z 1 (r c(0), r p (0), r v (0)) (where z is contained in r p (0)), Pr U [{D(V iew v [(P (r p (0)) V (r v (0)))(r c (0))], z) = 1}] = λ z 2 (r c(0), r p (0), r v (0)), and λ z 2 (r c(0), r p (0), r v (0)) λ z 1 (r 1 c(0), r p (0), r v (0)) > p( r. c(0) ) So for all r A, if m r is the final round in run r, then by definition of R, M, and M, Pr U [R(r p (0), r v (0), r c (0), M(V )(r c (0), r v (m r)))] = λ z 2(r c (0), r p (0), r v (0)), Pr U [R(r p (0), r v (0), r c (0), M (V )(r c (0), r v (0)))] = λ z 1(r c (0), r p (0), r v (0)), and λ z 2(r c (0), r p (0), r v (0)) λ z 1(r c (0), r p (0), r v (0)) > 1 p( r c (0) ). 14
An Epistemic Characterization of Zero Knowledge
An Epistemic Characterization of Zero Knowledge Joseph Y. Halpern, Rafael Pass, and Vasumathi Raman Computer Science Department Cornell University Ithaca, NY, 14853, U.S.A. e-mail: {halpern, rafael, vraman}@cs.cornell.edu
More informationZero-Knowledge Proofs and Protocols
Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationNotes on Complexity Theory Last updated: November, Lecture 10
Notes on Complexity Theory Last updated: November, 2015 Lecture 10 Notes by Jonathan Katz, lightly edited by Dov Gordon. 1 Randomized Time Complexity 1.1 How Large is BPP? We know that P ZPP = RP corp
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More information1 Recap: Interactive Proofs
Theoretical Foundations of Cryptography Lecture 16 Georgia Tech, Spring 2010 Zero-Knowledge Proofs 1 Recap: Interactive Proofs Instructor: Chris Peikert Scribe: Alessio Guerrieri Definition 1.1. An interactive
More informationNon-Interactive ZK:The Feige-Lapidot-Shamir protocol
Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationImpossibility and Feasibility Results for Zero Knowledge with Public Keys
Impossibility and Feasibility Results for Zero Knowledge with Public Keys Joël Alwen 1, Giuseppe Persiano 2, and Ivan Visconti 2 1 Technical University of Vienna A-1010 Vienna, Austria. e9926980@stud3.tuwien.ac.at
More informationInteractive Zero-Knowledge with Restricted Random Oracles
Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationConcurrent Non-malleable Commitments from any One-way Function
Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationA Note on Negligible Functions
Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak December 30, 2008 Abstract The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction
More informationLecture 26. Daniel Apon
Lecture 26 Daniel Apon 1 From IPPSPACE to NPPCP(log, 1): NEXP has multi-prover interactive protocols If you ve read the notes on the history of the PCP theorem referenced in Lecture 19 [3], you will already
More informationLecture 26: Arthur-Merlin Games
CS 710: Complexity Theory 12/09/2011 Lecture 26: Arthur-Merlin Games Instructor: Dieter van Melkebeek Scribe: Chetan Rao and Aaron Gorenstein Last time we compared counting versus alternation and showed
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationMagic Functions. In Memoriam Bernard M. Dwork
Magic Functions In Memoriam Bernard M. Dwork 1923 1998 Cynthia Dwork Moni Naor Omer Reingold Larry Stockmeyer Abstract We prove that three apparently unrelated fundamental problems in distributed computing,
More informationUsing Counterfactuals in Knowledge-Based Programming
Using Counterfactuals in Knowledge-Based Programming Joseph Y. Halpern Cornell University Dept. of Computer Science Ithaca, NY 14853 halpern@cs.cornell.edu http://www.cs.cornell.edu/home/halpern Yoram
More informationOn Achieving the Best of Both Worlds in Secure Multiparty Computation
On Achieving the Best of Both Worlds in Secure Multiparty Computation Yuval Ishai Jonathan Katz Eyal Kushilevitz Yehuda Lindell Erez Petrank Abstract Two settings are traditionally considered for secure
More informationHow many rounds can Random Selection handle?
How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 9 Lecture date: March 7-9, 2005 Scribe: S. Bhattacharyya, R. Deak, P. Mirzadeh 1 Interactive Proof Systems/Protocols 1.1 Introduction
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationPrecise Zero Knowledge
Precise Zero Knowledge Silvio Micali Rafael Pass December 1, 2007 Abstract We put forward the notion of Precise Zero Knowledge and provide its first implementations in a variety of settings under standard
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationLecture 5. 1 Review (Pairwise Independence and Derandomization)
6.842 Randomness and Computation September 20, 2017 Lecture 5 Lecturer: Ronitt Rubinfeld Scribe: Tom Kolokotrones 1 Review (Pairwise Independence and Derandomization) As we discussed last time, we can
More informationParallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness
Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness Rafael Pass Cornell University rafael@cs.cornell.edu January 29, 2007 Abstract Two long-standing open
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationLecture 3. 1 Terminology. 2 Non-Deterministic Space Complexity. Notes on Complexity Theory: Fall 2005 Last updated: September, 2005.
Notes on Complexity Theory: Fall 2005 Last updated: September, 2005 Jonathan Katz Lecture 3 1 Terminology For any complexity class C, we define the class coc as follows: coc def = { L L C }. One class
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More information20.1 2SAT. CS125 Lecture 20 Fall 2016
CS125 Lecture 20 Fall 2016 20.1 2SAT We show yet another possible way to solve the 2SAT problem. Recall that the input to 2SAT is a logical expression that is the conunction (AND) of a set of clauses,
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationZero-Knowledge Against Quantum Attacks
Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP
More informationLecture 3,4: Universal Composability
6.897: Advanced Topics in Cryptography Feb 5, 2004 Lecture 3,4: Universal Composability Lecturer: Ran Canetti Scribed by: Yael Kalai and abhi shelat 1 Introduction Our goal in these two lectures is to
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1, Alon Rosen 2, and Ronen Shaltiel 3 1 Microsoft Research, New England Campus. iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More information6.897: Selected Topics in Cryptography Lectures 7 and 8. Lecturer: Ran Canetti
6.897: Selected Topics in Cryptography Lectures 7 and 8 Lecturer: Ran Canetti Highlights of past lectures Presented a basic framework for analyzing the security of protocols for multi-party function evaluation.
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Hard Core Bits Coin Flipping Over the Phone Zero Knowledge Lecture 10 (version 1.1) Tel-Aviv University 18 March 2008. Slightly revised March 19. Hard Core
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationRound-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations
Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations Carmit Hazay 1 and Muthuramakrishnan Venkitasubramaniam 2 1 Bar-Ilan University 2 University of Rochester Abstract. In this
More informationLecture 12: Interactive Proofs
princeton university cos 522: computational complexity Lecture 12: Interactive Proofs Lecturer: Sanjeev Arora Scribe:Carl Kingsford Recall the certificate definition of NP. We can think of this characterization
More informationComputability Crib Sheet
Computer Science and Engineering, UCSD Winter 10 CSE 200: Computability and Complexity Instructor: Mihir Bellare Computability Crib Sheet January 3, 2010 Computability Crib Sheet This is a quick reference
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationLecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.
CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationComplexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler
Complexity Theory Complexity Theory VU 181.142, SS 2018 6. The Polynomial Hierarchy Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität Wien 15 May, 2018 Reinhard
More informationOutline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.
Complexity Theory Complexity Theory Outline Complexity Theory VU 181.142, SS 2018 6. The Polynomial Hierarchy Reinhard Pichler Institut für Informationssysteme Arbeitsbereich DBAI Technische Universität
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationDelegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs
Delegateable Signature Using Witness Indistinguishable and Witness Hiding Proofs Chunming Tang 1, Dingyi Pei 1,2 Zhuojun Liu 3 1 Institute of Information Security of Guangzhou University, P.R.China 2 State
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationZero Knowledge and Soundness are Symmetric
Zero Knowledge and Soundness are Symmetric Shien Jin Ong and Salil Vadhan School of Engineering and Applied Sciences Harvard University Cambridge, Massachusetts, USA {shienjin,salil}@eecs.harvard.edu Abstract.
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationCMSC 858K Advanced Topics in Cryptography March 4, 2004
CMSC 858K Advanced Topics in Cryptography March 4, 2004 Lecturer: Jonathan Katz Lecture 12 Scribe(s): Omer Horvitz Zhongchao Yu John Trafton Akhil Gupta 1 Introduction Our goal is to construct an adaptively-secure
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationA Computational Game-Theoretic Framework for Cryptography
A Computational Game-Theoretic Framework for Cryptography Joseph Y. Halpern Cornell University halpern@cs.cornell.edu Rafael Pass Cornell University rafael@cs.cornell.edu October 21, 2011 Abstract We develop
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationReductions for One-Way Functions
Reductions for One-Way Functions by Mark Liu A thesis submitted in partial fulfillment of the requirements for degree of Bachelor of Science (Honors Computer Science) from The University of Michigan 2013
More informationHandout 5. α a1 a n. }, where. xi if a i = 1 1 if a i = 0.
Notes on Complexity Theory Last updated: October, 2005 Jonathan Katz Handout 5 1 An Improved Upper-Bound on Circuit Size Here we show the result promised in the previous lecture regarding an upper-bound
More information2 Natural Proofs: a barrier for proving circuit lower bounds
Topics in Theoretical Computer Science April 4, 2016 Lecturer: Ola Svensson Lecture 6 (Notes) Scribes: Ola Svensson Disclaimer: These notes were written for the lecturer only and may contain inconsistent
More informationCommitment Schemes and Zero-Knowledge Protocols (2011)
Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic
More informationCSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010
CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010 We now embark on a study of computational classes that are more general than NP. As these classes
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCommon Knowledge and Consistent Simultaneous Coordination
Common Knowledge and Consistent Simultaneous Coordination Gil Neiger College of Computing Georgia Institute of Technology Atlanta, Georgia 30332-0280 gil@cc.gatech.edu Mark R. Tuttle DEC Cambridge Research
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationHow to Go Beyond the Black-Box Simulation Barrier
How to Go Beyond the Black-Box Simulation Barrier Boaz Barak Department of Computer Science, Weizmann Institute of Science Rehovot, ISRAEL boaz@wisdom.weizmann.ac.il November 13, 2001 Abstract The simulation
More informationConstant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model
Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 48 (2005) Constant-Round Concurrently-Secure rzk in the (Real) Bare Public-Key Model Moti Yung Yunlei Zhao Abstract We present
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationStatistical WI (and more) in Two Messages
Statistical WI (and more) in Two Messages Yael Tauman Kalai MSR Cambridge, USA. yael@microsoft.com Dakshita Khurana UCLA, USA. dakshita@cs.ucla.edu Amit Sahai UCLA, USA. sahai@cs.ucla.edu Abstract Two-message
More informationExpressing Security Properties Using Selective Interleaving Functions
Expressing Security Properties Using Selective Interleaving Functions Joseph Halpern and Sabina Petride August 8, 2008 Abstract McLean s notion of Selective Interleaving Functions (SIFs) is perhaps the
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationLecture 3: Reductions and Completeness
CS 710: Complexity Theory 9/13/2011 Lecture 3: Reductions and Completeness Instructor: Dieter van Melkebeek Scribe: Brian Nixon Last lecture we introduced the notion of a universal Turing machine for deterministic
More informationComputational Complexity of Bayesian Networks
Computational Complexity of Bayesian Networks UAI, 2015 Complexity theory Many computations on Bayesian networks are NP-hard Meaning (no more, no less) that we cannot hope for poly time algorithms that
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLecture 4 : Quest for Structure in Counting Problems
CS6840: Advanced Complexity Theory Jan 10, 2012 Lecture 4 : Quest for Structure in Counting Problems Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K. Theme: Between P and PSPACE. Lecture Plan:Counting problems
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationInteractive PCP. Yael Tauman Kalai Georgia Institute of Technology Ran Raz Weizmann Institute of Science
Interactive PCP Yael Tauman Kalai Georgia Institute of Technology yael@csail.mit.edu Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract A central line of research in the area of PCPs
More informationOn the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner 1,,AlonRosen 2,, and Ronen Shaltiel 3, 1 Microsoft Research, New England Campus iftach@microsoft.com 2 Herzliya Interdisciplinary
More informationSimulation in Quasi-Polynomial Time, and Its Application to Protocol Composition
Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition Rafael Pass Department of Numerical Analysis and Computer Science, Royal Institute of Technology, 100 44 Stockholm, Sweden.
More informationOn Constant-Round Concurrent Zero-Knowledge
On Constant-Round Concurrent Zero-Knowledge Rafael Pass and Muthuramakrishnan Venkitasubramaniam Cornell University, {rafael,vmuthu}@cs.cornell.edu Abstract. Loosely speaking, an interactive proof is said
More informationNP, polynomial-time mapping reductions, and NP-completeness
NP, polynomial-time mapping reductions, and NP-completeness In the previous lecture we discussed deterministic time complexity, along with the time-hierarchy theorem, and introduced two complexity classes:
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationSession 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University
Session 4: Efficient Zero Knowledge Yehuda Lindell Bar-Ilan University 1 Proof Systems Completeness: can convince of a true statement Soundness: cannot convince for a false statement Classic proofs: Written
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationThe Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization
The Round-Complexity of Black-Box Zero-Knowledge: A Combinatorial Characterization Daniele Micciancio and Scott Yilek Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman
More information